Home » Data Protection » Network Security

NAC: Now? Or Never?

New tech gadgets and a highly mobile workforce have raised the security stakes for corporate networks. Network Access Control to the rescue? Perhaps, but experts debate the value and users face a confusing morass of options.

By Stacy Collett

Page 3

Some land-switch vendors like Nortel Networks and HP also have NAC solutions. "If your network is made up of switches from those vendors, you can add on some components and enable NAC," Orans says.

Appliances, which sit either in line with all network traffic or "out of band" for specific traffic, are very popular but more costly, particularly if several boxes are needed to handle a large number of network users. Infrastructure expenses are the hardest to quantify because the hardware and software can't be attributed specifically to network access control functions.

With so many choices and vendors in the market, some users say prices will eventually come down.

"Within five years time, products like these will be commoditized to the point where it will be extremely affordable," predicts Jorge Mercado, principle architect at MedicAlert. Right now, "these [solutions] are typically for larger companies. The vendors' pricing model is such that whoever visits your site and requires authentication has to be a direct source of revenue. That's not necessarily the case [for smaller companies], so I think that with time, nonprofit organizations such as MedicAlert will be able to afford to secure their websites and not have to worry about paying a whole lot of money for a solution."

3. The status quo.
Then there are political and operational concerns. IT departments fear that by keeping employees off the network due to a missed patch or out-of-date antivirus software, they're keeping staff from doing their jobs. "That's why we see a lot of monitoring instead of enforcement in the early stages of NAC. Some products allow system managers to simply fix the problem once it occurs in the network without quarantining a particular PC culprit.

"Another concern is, what if I keep the wrong-level person off the network? A C-level executive? That's potentially damaging," Orans says, "and it has been an obstacle to NAC adoption." In the insurance company's case, decision makers wanted to make sure that the flow of value continued despite the known virus threat, so they continued to monitor and fix the viruses rather than to shut down the network. "It's just like any security problem. If your Internet-facing e-commerce server gets a virus, the first thing they do is nothing," Langston explains. Shutting down the system could mean millions of dollars in losses. "If it's a regular virus, they'll let it go until they can figure out what to do."

What's more, even HIPAA and Sarbanes-Oxley requirements for data privacy don't specifically require NAC solutions. "We don't have to be covered if you go by the regulations," Fisher explains regarding MedicAlert's privacy responsibilities. "But we do act as though we were [required]. More importantly, California has a statute that requires us to be covered. It's not a requirement to use a product like this," but it does provide the functionality that they need to comply.